12/10/2013

Does Jailbreaking mobile devices help security?

There are almost always multiple sides to any debate in software security. For that reason I find myself saying "It depends" far more than I may expect. I came across https://isios7jailbrokenyet.com/ a couple days ago and the question of whether this would help or hurt security popped into my mind. This debate, like many others, is worth digging into.

As a Security Professional, I try to determine which side of the debate will ultimately benefit the security community as well as end users the most by making the Internet, software, and devices safer. This often entails thinking about the pros and cons of a question from multiple perspectives.

In my mind there are a number of reasons why a jailbroken iOS7 device is beneficial. Here are a few off the top of my head.

Research is beneficial and should be rewarded, full stop. Research helps the security community to learn about new attack and exploitation vectors so we can help defend and build more secure software. Research helps push forward new knowledge and understanding of software and hardware. Research benefits the end user by creating more secure and hardened hardware and software systems than ever before.

It is for those reasons that Security Engineers at Security Innovation have generous budgets and allocated time to do their own unique security research. Not everybody in the community has the opportunity to get paid to do their own research, so it is important to create a reward fund to help cover some of the research costs entailed in discovering a new vulnerability like the one that may allow us to jailbreak iOS7.

Ultimately, money talks. There are numerous bug bounty programs, which are helpful, but oftentimes not enough to kick-start unique and targeted vulnerability analysis. Additionally, vulnerabilities identified as part of these programs may be sold on the black market. According to Forbes, hackers were able to sell an iOS vulnerability on the black market for up to $250,000. While the issue of bounty programs and the questionable ethics of someone willing to sell vulnerabilities to the highest bidder is also debatable, there’s no denying that it makes doing the moral thing difficult when you’re looking down the barrel at a quarter of a million dollars.

It is important to properly incentivize security researchers to do the right thing. While there is no guarantee that these issues aren’t already discovered and being used against the end user, a concerted research effort by security professionals is needed to look for these issues to level the playing field. This research helps improve and drive the security community and should be rewarded and supported.

To be clear: the way a device is jailbroken is to find a security vulnerability, usually many security vulnerabilities strung together, in order to get an unsigned program to run on the device so we can take control of the Operating System. These are major security issues and aren't generally the types of issues that one would stumble across inadvertently.

You own your hardware and software. Jailbreaking a device gives people freedom and choice to use their hardware and software as they wish. I believe that if you purchase hardware or software (not rent or lease) you should be able to do with that hardware and software as you wish, e.g., run other software on the hardware you’ve purchased, run a perfect out-of-the-box device from the company you bought it from, or hack together a Frankenstein OS with new features and capabilities. When you buy a car or a toaster you can take it apart and build something new with the parts – doing what you wish with the end result and learning from the activity in the process. When you buy hardware or software you should be able to take it apart, learn from it, and build something new. This is fundamentally an argument for the DMCA, but it certainly applies here.

As Security Professionals, using jailbroken devices helps us to assess the security of applications we are asked to assess. We can install tools which help us perform more effective application security testing on jailbroken devices for our clients (who, in turn, can then deliver more secure applications and devices to their customers). This is a win/win situation in my opinion - it makes our lives as security engineers and testers easier and ultimately makes computing safer for end-users and businesses.